CVE-2026-49278
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, the visitors.info endpoint (https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1) returned the token in its response. There appears to be no use case for the token to be present in the response, and removing it altogether is good security practice. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Affected Vendors & Products

Vendor       Product      Version / Range
rocket.chat  rocket.chat  up to 8.5.0 (excluding)
CWE

CWE ID   Description
CWE-285  Improper Authorization: the product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. It involves the visitors.info endpoint returning a token in its response, which appears to have no legitimate use case. The presence of this token in the response is considered a security risk, and the vulnerability was fixed by removing the token from the response in the specified versions.

Mitigation Strategies

To mitigate this vulnerability, upgrade your Rocket.Chat installation to the fixed release for the branch you run: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12.

From these releases onward the token is no longer returned in the visitors.info endpoint response, which removes the disclosure.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of a sensitive token through the visitors.info endpoint. Because the token is returned in the response without a valid use case, anyone able to read that response could reuse it to gain unauthorized access or escalate privileges, potentially affecting the confidentiality, integrity, and availability of the system.
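As an added example (not code from the advisory or from Rocket.Chat), the check below turns the fixed-version list above into an "is my release affected?" test and scrubs the leaked field from a captured visitors.info response. It assumes that branches with no listed fix (for example 7.11.x or 7.12.x) count as affected because they fall inside the CPE range "up to 8.5.0 (excluding)", and that the response carries the visitor record under a top-level "visitor" key; the sample response is constructed.

```python
# Added example for CVE-2026-49278: version-range check plus response scrub.
import json
import re

# Earliest fixed release on each branch, taken from the advisory text.
FIXED = {
    (8, 5): 0, (8, 4): 2, (8, 3): 4, (8, 2): 4,
    (8, 1): 5, (8, 0): 6, (7, 13): 8, (7, 10): 12,
}
UPPER_BOUND = (8, 5, 0)  # CPE range: affected up to 8.5.0 (exclusive)


def parse_version(text):
    """Return (major, minor, patch) from e.g. '8.4.1' or 'v7.13.7-rc.1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the release predates the fix on its branch.

    Assumption: a branch with no listed fix is affected whenever it lies
    below the CPE upper bound (e.g. 7.11.x, 7.12.x)."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is not None:
        return patch < fixed_patch
    return (major, minor, patch) < UPPER_BOUND


def scrub_visitor_token(body):
    """Return (cleaned_json, leaked) for a visitors.info response body.

    leaked is True when the (assumed) 'visitor' object carried a 'token'
    field, i.e. the response looks like one from an unpatched server."""
    data = json.loads(body)
    visitor = data.get("visitor")
    leaked = isinstance(visitor, dict) and "token" in visitor
    if leaked:
        del visitor["token"]
    return json.dumps(data, sort_keys=True), leaked


if __name__ == "__main__":
    # Constructed sample response; not captured from a real server.
    sample = '{"visitor":{"_id":"v1","username":"guest-42","token":"EXAMPLE"},"success":true}'
    for v in ("8.4.1", "8.4.2", "7.11.3", "8.5.0", "7.10.12"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(scrub_visitor_token(sample))
```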
